[DOCS] `claude mcp list/get` docs omit secret-safe terminal output behavior

Open 💬 2 comments Opened Jun 2, 2026 by coygeek

Documentation Type

Incorrect/outdated documentation

Documentation Location

https://code.claude.com/docs/en/mcp

Section/Topic

"Managing your servers" and "Environment variable expansion in .mcp.json"

Current Documentation

The docs currently say:

Once configured, you can manage your MCP servers with these commands: ``bash # List all configured servers claude mcp list # Get details for a specific server claude mcp get github ``

and later:

Environment variables can be expanded in: command - The server executable path args - Command-line arguments env - Environment variables passed to the server url - For HTTP server types * headers - For HTTP server authentication

The OAuth section also says:

Use claude mcp get <name> to verify that OAuth credentials are configured for a server

What's Wrong or Missing?

As of v2.1.161, claude mcp list, claude mcp get, and claude mcp add were changed so they no longer print secrets to the terminal: ${VAR} references are preserved instead of expanded in displayed output, and credential headers plus URL-embedded secrets are redacted.

The current docs still describe environment-variable expansion in .mcp.json and recommend claude mcp get <name> to verify OAuth configuration, but they do not explain the new safe-output behavior. That leaves two gaps:

A. CLI inspection behavior is underspecified

Readers are told to use claude mcp list and claude mcp get, but the docs do not say that these commands intentionally avoid printing resolved secrets.

B. The docs can imply unsafe verification patterns

Because the page explains that ${VAR} expands in url and headers, a reader can reasonably expect claude mcp get output to show the resolved value. After v2.1.161 that is no longer true, by design.

Suggested Improvement

Add a short note in the MCP management section clarifying the terminal-output contract for claude mcp list, claude mcp get, and claude mcp add.

Suggested wording:

Security note: when Claude Code prints MCP server configuration in the terminal, it redacts credential headers and URL secrets. ${VAR} placeholders from .mcp.json are shown as references and are not expanded in displayed output. Use these commands to confirm configuration shape and auth presence, not to reveal stored secret values.

Also update the OAuth verification note so claude mcp get <name> is described as confirming that credentials are configured without implying the secret itself will be shown.

Impact

Medium - Makes feature difficult to understand

Additional Context

Affected Pages:

| Page | Line(s) | Context |
|------|---------|---------|
| https://code.claude.com/docs/en/mcp | 141-159 | claude mcp list / claude mcp get management commands |
| https://code.claude.com/docs/en/mcp | 353-369 | .mcp.json environment-variable expansion for url and headers |
| https://code.claude.com/docs/en/mcp | 594-599 | OAuth note that says claude mcp get <name> verifies credentials |

Total scope: 1 page affected

This gap was surfaced by the Claude Code v2.1.161 release note: claude mcp list/get/add no longer print secrets to the terminal, preserve ${VAR} references in displayed output, and redact credential headers plus URL secrets.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗